W3C Web Security IG - take away from 21st January call and next steps

Hi all,

A short takeaway from our call on the 21st of January. This does not replace the detailed minutes available here: http://www.w3.org/2014/01/21-websec-minutes.html

Terri from Intel, Larry from Adobe, Virginie from Gemalto, Karen from ISOC, Andrew from Verisign, Wendy/Nick/Dom from W3C, Jeff from eBay/PayPal, Fan from Irdetto, Hannes from NSN, Stephen from IETF.

         IETF synchronization with Stephen Farrell, IETF Security area director
Stephen reminded us of the different security-related initiatives in the IETF that could be of interest to this IG, including the activities of the TLS WG http://tools.ietf.org/wg/tls/, HTTP Auth WG http://tools.ietf.org/wg/httpauth/, Web Authorization Protocol WG http://tools.ietf.org/wg/oauth/, Web PKI http://tools.ietf.org/wg/wpkops/, WebSec WG http://tools.ietf.org/wg/websec/, and UTA WG http://tools.ietf.org/wg/uta/
Stephen also discussed the IETF security review process, which is based on a pool of 40 security experts reviewing 1 spec every 2 months and maintaining some security guidelines.
Stephen also reported the impressive number of 68 submissions for the STRINT workshop https://www.w3.org/2014/strint/ planned last Feb/first March in London on strengthening the Internet.
Stephen reminded us that liaison between W3C and IETF is happening every couple of months with Wendy and Mark N.
Some questions were raised about the synchronization between WHATWG and IETF, the web origin concept endorsement...
As a follow-up, the Web Security IG will monitor the outcome of the STRINT workshop, as it may kick off new technical work in the IETF that may impact W3C.

         W3C TAG discussions
Virginie reported some discussion during the last W3C TAG F2F meeting, where the idea of having more security review and more people with security expertise in W3C received positive feedback. One should note that the TAG is now working on a 'secure the web' item https://github.com/w3ctag/secure-the-web.

         W3C Web Security IG work
The W3C Web Security IG has a wiki http://www.w3.org/Security/wiki/IG reflecting the possible work we could do, split into 5 topics: security review, understanding the web security model, mobile security study, new features that could be developed in W3C, scouting technologies. A call for leaders or contributors is made for those topics.
Larry mentioned the missing topic of cloud security --> to be analyzed further.
Dom reminded us of the purpose of the mobile security analysis, whose intention is to take web app security use cases and identify technical solutions/gaps to address them.

         Next steps
The Web Security IG decided not to have a regular monthly call unless a specific topic requires it. Further exchanges will be held on the mailing list.
Action for all: identify areas to which you could contribute.

Thanks again to Stephen for spending time with us, and thanks to Karen for scribing.


Received on Wednesday, 22 January 2014 17:28:30 UTC